authorSam Hartman <hartmans@debian.org>2023-09-13 13:39:21 -0600
committerSam Hartman <hartmans@debian.org>2023-09-15 10:07:02 -0600
commit044f34343536f475ba556fcf4ac184b11c2d8bc5 (patch)
treebdd797e288081e92b747072fa551cb3963e6f01b
parenteaa4580a294ab953a9f97929d60edf9a3b0e5f98 (diff)
Drop NIS patches
and rearrange other patches.
-rw-r--r--debian/patches/0003-pam_unix-obscure-checks.patch (renamed from debian/patches/007_modules_pam_unix)6
-rw-r--r--debian/patches/008_modules_pam_limits_chroot30
-rw-r--r--debian/patches/021_nis_cleanup31
-rw-r--r--debian/patches/027_pam_limits_better_init_allow_explicit_root35
-rw-r--r--debian/patches/032_pam_limits_EPERM_NOT_FATAL4
-rw-r--r--debian/patches/036_pam_wheel_getlogin_considered_harmful196
-rw-r--r--debian/patches/040_pam_limits_log_failure4
-rw-r--r--debian/patches/PAM-manpage-section333
-rw-r--r--debian/patches/do_not_check_nis_accidentally29
-rw-r--r--debian/patches/pam-limits-nofile-fd-setsize-cap4
-rw-r--r--debian/patches/series16
11 files changed, 88 insertions, 600 deletions
diff --git a/debian/patches/007_modules_pam_unix b/debian/patches/0003-pam_unix-obscure-checks.patch
index 0158a4db..12651a0b 100644
--- a/debian/patches/007_modules_pam_unix
+++ b/debian/patches/0003-pam_unix-obscure-checks.patch
@@ -1,8 +1,10 @@
From: Sam Hartman <hartmans@debian.org>
Date: Mon, 11 Sep 2023 14:00:42 -0600
-Subject: _modules_pam_unix
+Subject: pam_unix: obscure checks
-===================================================================
+* Bring in the obscure checks that used to live in shadow so we can still support them
+
+* Set default minimum password length to 6
---
modules/pam_unix/Makefile.am | 2 +-
modules/pam_unix/README | 36 ++++++-
diff --git a/debian/patches/008_modules_pam_limits_chroot b/debian/patches/008_modules_pam_limits_chroot
index 2b414302..5466536f 100644
--- a/debian/patches/008_modules_pam_limits_chroot
+++ b/debian/patches/008_modules_pam_limits_chroot
@@ -11,10 +11,10 @@ Subject: _modules_pam_limits_chroot
4 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf
-index e8a746c..9b1d624 100644
+index c6b058a..6b3865c 100644
--- a/modules/pam_limits/limits.conf
+++ b/modules/pam_limits/limits.conf
-@@ -46,6 +46,7 @@
+@@ -49,6 +49,7 @@
# - msgqueue - max memory used by POSIX message queues (bytes)
# - nice - max nice priority allowed to raise to values: [-20, 19]
# - rtprio - max realtime priority
@@ -22,7 +22,7 @@ index e8a746c..9b1d624 100644
#
#<domain> <type> <item> <value>
#
-@@ -56,6 +57,7 @@
+@@ -60,6 +61,7 @@
#@faculty soft nproc 20
#@faculty hard nproc 50
#ftp hard nproc 0
@@ -31,10 +31,10 @@ index e8a746c..9b1d624 100644
# End of file
diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5
-index 25f4459..f197ccd 100644
+index 32c4b2f..ce0ca35 100644
--- a/modules/pam_limits/limits.conf.5
+++ b/modules/pam_limits/limits.conf.5
-@@ -279,6 +279,11 @@ rtprio
+@@ -283,6 +283,11 @@ rtprio
.RS 4
maximum realtime priority allowed for non\-privileged processes (Linux 2\&.6\&.12 and higher)
.RE
@@ -47,10 +47,10 @@ index 25f4459..f197ccd 100644
.PP
All items support the values
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
-index 2177da1..506afda 100644
+index 9f2662a..f6f7d87 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
-@@ -266,6 +266,12 @@
+@@ -271,6 +271,12 @@
(Linux 2.6.12 and higher)</para>
</listitem>
</varlistentry>
@@ -64,10 +64,10 @@ index 2177da1..506afda 100644
</listitem>
</varlistentry>
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
-index 87bb4b7..39d99f4 100644
+index 746c441..529d2fc 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
-@@ -94,6 +94,7 @@ struct pam_limit_s {
+@@ -104,6 +104,7 @@ struct pam_limit_s {
specific user or to count all logins */
int priority; /* the priority to run user process with */
int nonewprivs; /* whether to prctl(PR_SET_NO_NEW_PRIVS) */
@@ -75,7 +75,7 @@ index 87bb4b7..39d99f4 100644
struct user_limits_struct limits[RLIM_NLIMITS];
const char *conf_file;
int utmp_after_pam_call;
-@@ -105,6 +106,7 @@ struct pam_limit_s {
+@@ -115,6 +116,7 @@ struct pam_limit_s {
#define LIMIT_PRI RLIM_NLIMITS+3
#define LIMIT_NONEWPRIVS RLIM_NLIMITS+4
@@ -83,7 +83,7 @@ index 87bb4b7..39d99f4 100644
#define LIMIT_SOFT 1
#define LIMIT_HARD 2
-@@ -493,6 +495,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
+@@ -570,6 +572,8 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
pl->login_limit = -2;
pl->login_limit_def = LIMITS_DEF_NONE;
@@ -92,7 +92,7 @@ index 87bb4b7..39d99f4 100644
return retval;
}
-@@ -600,6 +604,8 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
+@@ -677,6 +681,8 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
limit_item = LIMIT_PRI;
} else if (strcmp(lim_item, "nonewprivs") == 0) {
limit_item = LIMIT_NONEWPRIVS;
@@ -101,7 +101,7 @@ index 87bb4b7..39d99f4 100644
} else {
pam_syslog(pamh, LOG_DEBUG, "unknown limit item '%s'", lim_item);
return;
-@@ -649,9 +655,9 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
+@@ -726,9 +732,9 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
pam_syslog(pamh, LOG_DEBUG,
"wrong limit value '%s' for limit type '%s'",
lim_value, lim_type);
@@ -113,7 +113,7 @@ index 87bb4b7..39d99f4 100644
#ifdef __USE_FILE_OFFSET64
rlimit_value = strtoull (lim_value, &endptr, 10);
#else
-@@ -726,7 +732,11 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
+@@ -803,7 +809,11 @@ process_limit (const pam_handle_t *pamh, int source, const char *lim_type,
break;
}
@@ -126,7 +126,7 @@ index 87bb4b7..39d99f4 100644
&& (limit_item != LIMIT_NUMSYSLOGINS)
&& (limit_item != LIMIT_PRI)
&& (limit_item != LIMIT_NONEWPRIVS) ) {
-@@ -1084,6 +1094,15 @@ static int setup_limits(pam_handle_t *pamh,
+@@ -1163,6 +1173,15 @@ static int setup_limits(pam_handle_t *pamh,
}
}
diff --git a/debian/patches/021_nis_cleanup b/debian/patches/021_nis_cleanup
deleted file mode 100644
index 5b0590af..00000000
--- a/debian/patches/021_nis_cleanup
+++ /dev/null
@@ -1,31 +0,0 @@
-From: Sam Hartman <hartmans@debian.org>
-Date: Mon, 11 Sep 2023 14:00:42 -0600
-Subject: _nis_cleanup
-
-Patch from Philippe Troin <phil@fifi.org>
-
-Originally this included a bunch of changes to locking, but the more
-recent code pulled from Linux_pam CVS seems to fix that issue.
----
- modules/pam_unix/pam_unix_passwd.c | 7 +++++--
- 1 file changed, 5 insertions(+), 2 deletions(-)
-
-diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
-index 652f3c5..5b81343 100644
---- a/modules/pam_unix/pam_unix_passwd.c
-+++ b/modules/pam_unix/pam_unix_passwd.c
-@@ -699,9 +699,12 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
- "password - (old) token not obtained");
- return retval;
- }
-- /* verify that this is the password for this user */
-+ /* verify that this is the password for this user
-+ * if we're not using NIS */
-
-- retval = _unix_verify_password(pamh, user, pass_old, ctrl);
-+ if (off(UNIX_NIS, ctrl)) {
-+ retval = _unix_verify_password(pamh, user, pass_old, ctrl);
-+ }
- } else {
- D(("process run by root so do nothing this time around"));
- pass_old = NULL;
diff --git a/debian/patches/027_pam_limits_better_init_allow_explicit_root b/debian/patches/027_pam_limits_better_init_allow_explicit_root
index a8592256..7d0fdded 100644
--- a/debian/patches/027_pam_limits_better_init_allow_explicit_root
+++ b/debian/patches/027_pam_limits_better_init_allow_explicit_root
@@ -20,8 +20,8 @@ root that reference root by name.
modules/pam_limits/limits.conf | 4 ++
modules/pam_limits/limits.conf.5 | 5 ++
modules/pam_limits/limits.conf.5.xml | 6 +++
- modules/pam_limits/pam_limits.c | 88 ++++++++++++++++++++++++++++++++----
- 5 files changed, 95 insertions(+), 9 deletions(-)
+ modules/pam_limits/pam_limits.c | 89 ++++++++++++++++++++++++++++++++----
+ 5 files changed, 96 insertions(+), 9 deletions(-)
diff --git a/modules/pam_limits/README b/modules/pam_limits/README
index 98264b9..dc560ef 100644
@@ -36,7 +36,7 @@ index 98264b9..dc560ef 100644
@student hard nproc 20
@faculty soft nproc 20
diff --git a/modules/pam_limits/limits.conf b/modules/pam_limits/limits.conf
-index 9b1d624..6b3865c 100644
+index e8a746c..c6b058a 100644
--- a/modules/pam_limits/limits.conf
+++ b/modules/pam_limits/limits.conf
@@ -22,6 +22,9 @@
@@ -49,7 +49,7 @@ index 9b1d624..6b3865c 100644
#
#<type> can have the two values:
# - "soft" for enforcing the soft limits
-@@ -52,6 +55,7 @@
+@@ -51,6 +54,7 @@
#
#* soft core 0
@@ -58,7 +58,7 @@ index 9b1d624..6b3865c 100644
#@student hard nproc 20
#@faculty soft nproc 20
diff --git a/modules/pam_limits/limits.conf.5 b/modules/pam_limits/limits.conf.5
-index f197ccd..ce0ca35 100644
+index 25f4459..32c4b2f 100644
--- a/modules/pam_limits/limits.conf.5
+++ b/modules/pam_limits/limits.conf.5
@@ -145,6 +145,10 @@ a gid specified as
@@ -72,7 +72,7 @@ index f197ccd..ce0ca35 100644
.RE
.PP
<type>
-@@ -327,6 +331,7 @@ These are some example lines which might be specified in
+@@ -322,6 +326,7 @@ These are some example lines which might be specified in
.\}
.nf
* soft core 0
@@ -81,7 +81,7 @@ index f197ccd..ce0ca35 100644
@student hard nproc 20
@faculty soft nproc 20
diff --git a/modules/pam_limits/limits.conf.5.xml b/modules/pam_limits/limits.conf.5.xml
-index 506afda..f6f7d87 100644
+index 2177da1..9f2662a 100644
--- a/modules/pam_limits/limits.conf.5.xml
+++ b/modules/pam_limits/limits.conf.5.xml
@@ -89,6 +89,11 @@
@@ -96,7 +96,7 @@ index 506afda..f6f7d87 100644
</listitem>
</varlistentry>
-@@ -326,6 +331,7 @@
+@@ -320,6 +325,7 @@
</para>
<programlisting>
* soft core 0
@@ -105,10 +105,10 @@ index 506afda..f6f7d87 100644
@student hard nproc 20
@faculty soft nproc 20
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
-index 39d99f4..601d926 100644
+index 87bb4b7..adda08b 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
-@@ -47,10 +47,18 @@
+@@ -47,10 +47,19 @@
#include <libaudit.h>
#endif
@@ -123,11 +123,12 @@ index 39d99f4..601d926 100644
+#else
+#define MLOCK_LIMIT (64*1024)
+#endif
++#endif
+
/* Module defines */
#define LINE_LENGTH 1024
-@@ -88,6 +96,7 @@ struct user_limits_struct {
+@@ -88,6 +97,7 @@ struct user_limits_struct {
/* internal data */
struct pam_limit_s {
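Review bot: The added `+#endif` lands directly after the `#endif` that closes the `MLOCK_LIMIT` fallback, so the refreshed patch now ends with two bare `#endif`s in a row while the `#if` that the new one pairs with sits in the part of the inner hunk this outer hunk does not show. Back-to-back unannotated `#endif`s are easy to mispair on the next quilt refresh; writing the new one as `#endif /* <outer condition> */` would make the nesting self-documenting. The inner hunk header moving from `+47,18` to `+47,19` is consistent with exactly one added line, which suggests the opener is already present above, but that is worth confirming against the whole patch.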
@@ -135,7 +136,7 @@ index 39d99f4..601d926 100644
int login_limit; /* the max logins limit */
int login_limit_def; /* which entry set the login limit */
int flag_numsyslogins; /* whether to limit logins only for a
-@@ -457,9 +466,18 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
+@@ -455,9 +465,18 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
{
int i;
int retval = PAM_SUCCESS;
@@ -154,7 +155,7 @@ index 39d99f4..601d926 100644
for(i = 0; i < RLIM_NLIMITS; i++) {
int r = getrlimit(i, &pl->limits[i].limit);
if (r == -1) {
-@@ -475,18 +493,68 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
+@@ -473,18 +492,68 @@ static int init_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int ctrl)
}
#ifdef __linux__
@@ -229,7 +230,7 @@ index 39d99f4..601d926 100644
errno = 0;
pl->priority = getpriority (PRIO_PROCESS, 0);
-@@ -895,7 +963,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
+@@ -885,7 +954,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
if (strcmp(uname, domain) == 0) /* this user have a limit */
process_limit(pamh, LIMITS_DEF_USER, ltype, item, value, ctrl, pl);
@@ -238,7 +239,7 @@ index 39d99f4..601d926 100644
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
-@@ -921,7 +989,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
+@@ -911,7 +980,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
process_limit(pamh, LIMITS_DEF_GROUP, ltype, item, value, ctrl,
pl);
}
@@ -247,7 +248,7 @@ index 39d99f4..601d926 100644
if (ctrl & PAM_DEBUG_ARG) {
pam_syslog(pamh, LOG_DEBUG,
"checking if %s is in group %s",
-@@ -955,7 +1023,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
+@@ -945,7 +1014,7 @@ parse_config_file(pam_handle_t *pamh, const char *uname, uid_t uid, gid_t gid,
} else {
switch(rngtype) {
case LIMIT_RANGE_NONE:
@@ -256,7 +257,7 @@ index 39d99f4..601d926 100644
process_limit(pamh, LIMITS_DEF_DEFAULT, ltype, item, value, ctrl,
pl);
break;
-@@ -1247,6 +1315,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
+@@ -1228,6 +1297,8 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
return PAM_ABORT;
}
diff --git a/debian/patches/032_pam_limits_EPERM_NOT_FATAL b/debian/patches/032_pam_limits_EPERM_NOT_FATAL
index 0eea42ef..62656746 100644
--- a/debian/patches/032_pam_limits_EPERM_NOT_FATAL
+++ b/debian/patches/032_pam_limits_EPERM_NOT_FATAL
@@ -15,10 +15,10 @@ Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
1 file changed, 2 insertions(+)
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
-index 601d926..acf4ec4 100644
+index a58d424..746c441 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
-@@ -1125,6 +1125,8 @@ static int setup_limits(pam_handle_t *pamh,
+@@ -1124,6 +1124,8 @@ static int setup_limits(pam_handle_t *pamh,
if (res != 0)
pam_syslog(pamh, LOG_ERR, "Could not set limit for '%s': %m",
rlimit2str(i));
diff --git a/debian/patches/036_pam_wheel_getlogin_considered_harmful b/debian/patches/036_pam_wheel_getlogin_considered_harmful
index 781839dd..43979153 100644
--- a/debian/patches/036_pam_wheel_getlogin_considered_harmful
+++ b/debian/patches/036_pam_wheel_getlogin_considered_harmful
@@ -12,12 +12,10 @@ Authors: Ben Collins <bcollins@debian.org>
Upstream status: submitted in <20070901175405.GA26092@dario.dodds.net>
---
- modules/pam_wheel/README | 6 --
- modules/pam_wheel/pam_wheel.8 | 147 --------------------------------------
- modules/pam_wheel/pam_wheel.8.xml | 2 +-
- modules/pam_wheel/pam_wheel.c | 45 +++---------
- 4 files changed, 10 insertions(+), 190 deletions(-)
- delete mode 100644 modules/pam_wheel/pam_wheel.8
+ modules/pam_wheel/README | 6 ------
+ modules/pam_wheel/pam_wheel.8.xml | 17 +--------------
+ modules/pam_wheel/pam_wheel.c | 45 ++++++++-------------------------------
+ 3 files changed, 10 insertions(+), 58 deletions(-)
diff --git a/modules/pam_wheel/README b/modules/pam_wheel/README
index 5dae4b6..ec9e7d7 100644
@@ -36,164 +34,40 @@ index 5dae4b6..ec9e7d7 100644
EXAMPLES
The root account gains access by default (rootok), only wheel members can
-diff --git a/modules/pam_wheel/pam_wheel.8 b/modules/pam_wheel/pam_wheel.8
-deleted file mode 100644
-index 8077e81..0000000
---- a/modules/pam_wheel/pam_wheel.8
-+++ /dev/null
-@@ -1,147 +0,0 @@
--'\" t
--.\" Title: pam_wheel
--.\" Author: [see the "AUTHOR" section]
--.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
--.\" Date: 05/07/2023
--.\" Manual: Linux-PAM Manual
--.\" Source: Linux-PAM
--.\" Language: English
--.\"
--.TH "PAM_WHEEL" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
--.\" -----------------------------------------------------------------
--.\" * Define some portability stuff
--.\" -----------------------------------------------------------------
--.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--.\" http://bugs.debian.org/507673
--.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
--.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--.ie \n(.g .ds Aq \(aq
--.el .ds Aq '
--.\" -----------------------------------------------------------------
--.\" * set default formatting
--.\" -----------------------------------------------------------------
--.\" disable hyphenation
--.nh
--.\" disable justification (adjust text to left margin only)
--.ad l
--.\" -----------------------------------------------------------------
--.\" * MAIN CONTENT STARTS HERE *
--.\" -----------------------------------------------------------------
--.SH "NAME"
--pam_wheel \- Only permit root access to members of group wheel
--.SH "SYNOPSIS"
--.HP \w'\fBpam_wheel\&.so\fR\ 'u
--\fBpam_wheel\&.so\fR [debug] [deny] [group=\fIname\fR] [root_only] [trust] [use_uid]
--.SH "DESCRIPTION"
--.PP
--The pam_wheel PAM module is used to enforce the so\-called
--\fIwheel\fR
--group\&. By default it permits access to the target user if the applicant user is a member of the
--\fIwheel\fR
--group\&. If no group with this name exist, the module is using the group with the group\-ID
--\fB0\fR\&.
--.SH "OPTIONS"
--.PP
--debug
--.RS 4
--Print debug information\&.
--.RE
--.PP
--deny
--.RS 4
--Reverse the sense of the auth operation: if the user is trying to get UID 0 access and is a member of the wheel group (or the group of the
--\fBgroup\fR
--option), deny access\&. Conversely, if the user is not in the group, return PAM_IGNORE (unless
--\fBtrust\fR
--was also specified, in which case we return PAM_SUCCESS)\&.
--.RE
--.PP
--group=name
--.RS 4
--Instead of checking the wheel or GID 0 groups, use the
--\fB\fIname\fR\fR
--group to perform the authentication\&.
--.RE
--.PP
--root_only
--.RS 4
--The check for wheel membership is done only when the target user UID is 0\&.
--.RE
--.PP
--trust
--.RS 4
--The pam_wheel module will return PAM_SUCCESS instead of PAM_IGNORE if the user is a member of the wheel group (thus with a little play stacking the modules the wheel members may be able to su to root without being prompted for a passwd)\&.
--.RE
--.PP
--use_uid
--.RS 4
--The check will be done against the real uid of the calling process, instead of trying to obtain the user from the login session associated with the terminal in use\&.
--.RE
--.SH "MODULE TYPES PROVIDED"
--.PP
--The
--\fBauth\fR
--and
--\fBaccount\fR
--module types are provided\&.
--.SH "RETURN VALUES"
--.PP
--PAM_AUTH_ERR
--.RS 4
--Authentication failure\&.
--.RE
--.PP
--PAM_BUF_ERR
--.RS 4
--Memory buffer error\&.
--.RE
--.PP
--PAM_IGNORE
--.RS 4
--The return value should be ignored by PAM dispatch\&.
--.RE
--.PP
--PAM_PERM_DENY
--.RS 4
--Permission denied\&.
--.RE
--.PP
--PAM_SERVICE_ERR
--.RS 4
--Cannot determine the user name\&.
--.RE
--.PP
--PAM_SUCCESS
--.RS 4
--Success\&.
--.RE
--.PP
--PAM_USER_UNKNOWN
--.RS 4
--User not known\&.
--.RE
--.SH "EXAMPLES"
--.PP
--The root account gains access by default (rootok), only wheel members can become root (wheel) but Unix authenticate non\-root applicants\&.
--.sp
--.if n \{\
--.RS 4
--.\}
--.nf
--su auth sufficient pam_rootok\&.so
--su auth required pam_wheel\&.so
--su auth required pam_unix\&.so
--
--.fi
--.if n \{\
--.RE
--.\}
--.sp
--.SH "SEE ALSO"
--.PP
--\fBpam.conf\fR(5),
--\fBpam.d\fR(5),
--\fBpam\fR(8)
--.SH "AUTHOR"
--.PP
--pam_wheel was written by Cristian Gafton <gafton@redhat\&.com>\&.
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
-index af0fd61..0e89002 100644
+index af0fd61..b42e27d 100644
--- a/modules/pam_wheel/pam_wheel.8.xml
+++ b/modules/pam_wheel/pam_wheel.8.xml
-@@ -237,4 +237,4 @@ su auth required pam_unix.so
+@@ -30,9 +30,6 @@
+ <arg choice="opt" rep="norepeat">
+ trust
+ </arg>
+- <arg choice="opt" rep="norepeat">
+- use_uid
+- </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+@@ -113,18 +110,6 @@
+ </para>
+ </listitem>
+ </varlistentry>
+- <varlistentry>
+- <term>
+- use_uid
+- </term>
+- <listitem>
+- <para>
+- The check will be done against the real uid of the calling process,
+- instead of trying to obtain the user from the login session
+- associated with the terminal in use.
+- </para>
+- </listitem>
+- </varlistentry>
+ </variablelist>
+ </refsect1>
+
+@@ -237,4 +222,4 @@ su auth required pam_unix.so
</para>
</refsect1>
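Review bot: The refreshed patch removes `use_uid` from both the synopsis and the option list in pam_wheel.8.xml, but nothing in this hunk records what pam_wheel.c now does with a `use_uid` token that existing pam.d configurations still pass; the pam_wheel.c part of the patch is outside this hunk. If the token is still parsed and ignored, the man page should say so instead of silently dropping it, e.g. keep a short `<varlistentry>` reading `use_uid — accepted for compatibility; the check is always made against the real uid of the calling process.` If the token is rejected instead, the patch header should call out the configuration break so admins are not surprised at upgrade time. The patch header's description lines are outside this hunk as well.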
diff --git a/debian/patches/040_pam_limits_log_failure b/debian/patches/040_pam_limits_log_failure
index 855b8edb..acb79450 100644
--- a/debian/patches/040_pam_limits_log_failure
+++ b/debian/patches/040_pam_limits_log_failure
@@ -15,10 +15,10 @@ Upstream status: submitted in <20070830171918.GB30563@dario.dodds.net>
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
-index acf4ec4..bb81559 100644
+index 529d2fc..da83b70 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
-@@ -1122,9 +1122,19 @@ static int setup_limits(pam_handle_t *pamh,
+@@ -1131,9 +1131,19 @@ static int setup_limits(pam_handle_t *pamh,
if (pl->limits[i].limit.rlim_cur > pl->limits[i].limit.rlim_max)
pl->limits[i].limit.rlim_cur = pl->limits[i].limit.rlim_max;
res = setrlimit(i, &pl->limits[i].limit);
diff --git a/debian/patches/PAM-manpage-section b/debian/patches/PAM-manpage-section
index d1c83470..0f913973 100644
--- a/debian/patches/PAM-manpage-section
+++ b/debian/patches/PAM-manpage-section
@@ -55,7 +55,6 @@ Upstream status: maybe provide a backwards-compatibility link first?
modules/pam_deny/pam_deny.8.xml | 2 +-
modules/pam_echo/pam_echo.8 | 2 +-
modules/pam_echo/pam_echo.8.xml | 2 +-
- modules/pam_env/pam_env.8 | 160 ------------------
modules/pam_env/pam_env.8.xml | 2 +-
modules/pam_env/pam_env.conf.5 | 2 +-
modules/pam_env/pam_env.conf.5.xml | 2 +-
@@ -109,7 +108,6 @@ Upstream status: maybe provide a backwards-compatibility link first?
modules/pam_rootok/pam_rootok.8.xml | 2 +-
modules/pam_securetty/pam_securetty.8 | 2 +-
modules/pam_securetty/pam_securetty.8.xml | 2 +-
- modules/pam_selinux/pam_selinux.8 | 151 -----------------
modules/pam_selinux/pam_selinux.8.xml | 2 +-
modules/pam_sepermit/pam_sepermit.8 | 2 +-
modules/pam_sepermit/pam_sepermit.8.xml | 2 +-
@@ -140,11 +138,9 @@ Upstream status: maybe provide a backwards-compatibility link first?
modules/pam_wheel/pam_wheel.8.xml | 2 +-
modules/pam_xauth/pam_xauth.8 | 2 +-
modules/pam_xauth/pam_xauth.8.xml | 2 +-
- 131 files changed, 127 insertions(+), 788 deletions(-)
+ 129 files changed, 127 insertions(+), 477 deletions(-)
delete mode 100644 doc/man/PAM.8
delete mode 100644 doc/man/pam.8.xml
- delete mode 100644 modules/pam_env/pam_env.8
- delete mode 100644 modules/pam_selinux/pam_selinux.8
diff --git a/doc/man/PAM.8 b/doc/man/PAM.8
deleted file mode 100644
@@ -1056,172 +1052,6 @@ index 07b793d..cf2d006 100644
</citerefentry></para>
</refsect1>
-diff --git a/modules/pam_env/pam_env.8 b/modules/pam_env/pam_env.8
-deleted file mode 100644
-index f4e15f3..0000000
---- a/modules/pam_env/pam_env.8
-+++ /dev/null
-@@ -1,160 +0,0 @@
--'\" t
--.\" Title: pam_env
--.\" Author: [see the "AUTHOR" section]
--.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
--.\" Date: 05/07/2023
--.\" Manual: Linux-PAM Manual
--.\" Source: Linux-PAM
--.\" Language: English
--.\"
--.TH "PAM_ENV" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
--.\" -----------------------------------------------------------------
--.\" * Define some portability stuff
--.\" -----------------------------------------------------------------
--.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--.\" http://bugs.debian.org/507673
--.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
--.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--.ie \n(.g .ds Aq \(aq
--.el .ds Aq '
--.\" -----------------------------------------------------------------
--.\" * set default formatting
--.\" -----------------------------------------------------------------
--.\" disable hyphenation
--.nh
--.\" disable justification (adjust text to left margin only)
--.ad l
--.\" -----------------------------------------------------------------
--.\" * MAIN CONTENT STARTS HERE *
--.\" -----------------------------------------------------------------
--.SH "NAME"
--pam_env \- PAM module to set/unset environment variables
--.SH "SYNOPSIS"
--.HP \w'\fBpam_env\&.so\fR\ 'u
--\fBpam_env\&.so\fR [debug] [conffile=\fIconf\-file\fR] [envfile=\fIenv\-file\fR] [readenv=\fI0|1\fR] [user_envfile=\fIenv\-file\fR] [user_readenv=\fI0|1\fR]
--.SH "DESCRIPTION"
--.PP
--The pam_env PAM module allows the (un)setting of environment variables\&. Supported is the use of previously set environment variables as well as
--\fIPAM_ITEM\fRs such as
--\fIPAM_RHOST\fR\&.
--.PP
--By default rules for (un)setting of variables are taken from the config file
--/etc/security/pam_env\&.conf\&. An alternate file can be specified with the
--\fIconffile\fR
--option\&.
--.PP
--Second a file (/etc/environment
--by default) with simple
--\fIKEY=VAL\fR
--pairs on separate lines will be read\&. With the
--\fIenvfile\fR
--option an alternate file can be specified\&. And with the
--\fIreadenv\fR
--option this can be completely disabled\&.
--.PP
--Third it will read a user configuration file ($HOME/\&.pam_environment
--by default)\&. The default file can be changed with the
--\fIuser_envfile\fR
--option and it can be turned on and off with the
--\fIuser_readenv\fR
--option\&.
--.PP
--Since setting of PAM environment variables can have side effects to other modules, this module should be the last one on the stack\&.
--.SH "OPTIONS"
--.PP
--conffile=/path/to/pam_env\&.conf
--.RS 4
--Indicate an alternative
--pam_env\&.conf
--style configuration file to override the default\&. This can be useful when different services need different environments\&.
--.RE
--.PP
--debug
--.RS 4
--A lot of debug information is printed with
--\fBsyslog\fR(3)\&.
--.RE
--.PP
--envfile=/path/to/environment
--.RS 4
--Indicate an alternative
--environment
--file to override the default\&. The syntax are simple
--\fIKEY=VAL\fR
--pairs on separate lines\&. The
--\fIexport\fR
--instruction can be specified for bash compatibility, but will be ignored\&. This can be useful when different services need different environments\&.
--.RE
--.PP
--readenv=0|1
--.RS 4
--Turns on or off the reading of the file specified by envfile (0 is off, 1 is on)\&. By default this option is on\&.
--.RE
--.PP
--user_envfile=filename
--.RS 4
--Indicate an alternative
--\&.pam_environment
--file to override the default\&.The syntax is the same as for
--\fI/etc/security/pam_env\&.conf\fR\&. The filename is relative to the user home directory\&. This can be useful when different services need different environments\&.
--.RE
--.PP
--user_readenv=0|1
--.RS 4
--Turns on or off the reading of the user specific environment file\&. 0 is off, 1 is on\&. By default this option is off as user supplied environment variables in the PAM environment could affect behavior of subsequent modules in the stack without the consent of the system administrator\&.
--.sp
--Due to problematic security this functionality is deprecated since the 1\&.5\&.0 version and will be removed completely at some point in the future\&.
--.RE
--.SH "MODULE TYPES PROVIDED"
--.PP
--The
--\fBauth\fR
--and
--\fBsession\fR
--module types are provided\&.
--.SH "RETURN VALUES"
--.PP
--PAM_ABORT
--.RS 4
--Not all relevant data or options could be gotten\&.
--.RE
--.PP
--PAM_BUF_ERR
--.RS 4
--Memory buffer error\&.
--.RE
--.PP
--PAM_IGNORE
--.RS 4
--No pam_env\&.conf and environment file was found\&.
--.RE
--.PP
--PAM_SUCCESS
--.RS 4
--Environment variables were set\&.
--.RE
--.SH "FILES"
--.PP
--/etc/security/pam_env\&.conf
--.RS 4
--Default configuration file
--.RE
--.PP
--/etc/environment
--.RS 4
--Default environment file
--.RE
--.PP
--$HOME/\&.pam_environment
--.RS 4
--User specific environment file
--.RE
--.SH "SEE ALSO"
--.PP
--\fBpam_env.conf\fR(5),
--\fBpam.d\fR(5),
--\fBpam\fR(8),
--\fBenviron\fR(7)\&.
--.SH "AUTHOR"
--.PP
--pam_env was written by Dave Kinchlea <kinch@kinch\&.ark\&.com>\&.
diff --git a/modules/pam_env/pam_env.8.xml b/modules/pam_env/pam_env.8.xml
index fb172e1..a720d37 100644
--- a/modules/pam_env/pam_env.8.xml
@@ -1911,163 +1741,6 @@ index 9038f5b..fcf0e88 100644
</citerefentry>
</para>
</refsect1>
-diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8
-deleted file mode 100644
-index 260bc47..0000000
---- a/modules/pam_selinux/pam_selinux.8
-+++ /dev/null
-@@ -1,151 +0,0 @@
--'\" t
--.\" Title: pam_selinux
--.\" Author: [see the "AUTHOR" section]
--.\" Generator: DocBook XSL Stylesheets v1.79.2 <http://docbook.sf.net/>
--.\" Date: 05/07/2023
--.\" Manual: Linux-PAM Manual
--.\" Source: Linux-PAM
--.\" Language: English
--.\"
--.TH "PAM_SELINUX" "8" "05/07/2023" "Linux\-PAM" "Linux\-PAM Manual"
--.\" -----------------------------------------------------------------
--.\" * Define some portability stuff
--.\" -----------------------------------------------------------------
--.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--.\" http://bugs.debian.org/507673
--.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
--.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--.ie \n(.g .ds Aq \(aq
--.el .ds Aq '
--.\" -----------------------------------------------------------------
--.\" * set default formatting
--.\" -----------------------------------------------------------------
--.\" disable hyphenation
--.nh
--.\" disable justification (adjust text to left margin only)
--.ad l
--.\" -----------------------------------------------------------------
--.\" * MAIN CONTENT STARTS HERE *
--.\" -----------------------------------------------------------------
--.SH "NAME"
--pam_selinux \- PAM module to set the default security context
--.SH "SYNOPSIS"
--.HP \w'\fBpam_selinux\&.so\fR\ 'u
--\fBpam_selinux\&.so\fR [open] [close] [restore] [nottys] [debug] [verbose] [select_context] [env_params] [use_current_range]
--.SH "DESCRIPTION"
--.PP
--pam_selinux is a PAM module that sets up the default SELinux security context for the next executed process\&.
--.PP
--When a new session is started, the open_session part of the module computes and sets up the execution security context used for the next
--\fBexecve\fR(2)
--call, the file security context for the controlling terminal, and the security context used for creating a new kernel keyring\&.
--.PP
--When the session is ended, the close_session part of the module restores old security contexts that were in effect before the change made by the open_session part of the module\&.
--.PP
--Adding pam_selinux into the PAM stack might disrupt behavior of other PAM modules which execute applications\&. To avoid that,
--\fIpam_selinux\&.so open\fR
--should be placed after such modules in the PAM stack, and
--\fIpam_selinux\&.so close\fR
--should be placed before them\&. When such a placement is not feasible,
--\fIpam_selinux\&.so restore\fR
--could be used to temporary restore original security contexts\&.
--.SH "OPTIONS"
--.PP
--open
--.RS 4
--Only execute the open_session part of the module\&.
--.RE
--.PP
--close
--.RS 4
--Only execute the close_session part of the module\&.
--.RE
--.PP
--restore
--.RS 4
--In open_session part of the module, temporarily restore the security contexts as they were before the previous call of the module\&. Another call of this module without the restore option will set up the new security contexts again\&.
--.RE
--.PP
--nottys
--.RS 4
--Do not setup security context of the controlling terminal\&.
--.RE
--.PP
--debug
--.RS 4
--Turn on debug messages via
--\fBsyslog\fR(3)\&.
--.RE
--.PP
--verbose
--.RS 4
--Attempt to inform the user when security context is set\&.
--.RE
--.PP
--select_context
--.RS 4
--Attempt to ask the user for a custom security context role\&. If MLS is on, ask also for sensitivity level\&.
--.RE
--.PP
--env_params
--.RS 4
--Attempt to obtain a custom security context role from PAM environment\&. If MLS is on, obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are
--\fISELINUX_ROLE_REQUESTED\fR,
--\fISELINUX_LEVEL_REQUESTED\fR, and
--\fISELINUX_USE_CURRENT_RANGE\fR\&. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module\&.
--.RE
--.PP
--use_current_range
--.RS 4
--Use the sensitivity level of the current process for the user context instead of the default level\&. Also suppresses asking of the sensitivity level from the user or obtaining it from PAM environment\&.
--.RE
--.SH "MODULE TYPES PROVIDED"
--.PP
--Only the
--\fBsession\fR
--module type is provided\&.
--.SH "RETURN VALUES"
--.PP
--PAM_SUCCESS
--.RS 4
--The security context was set successfully\&.
--.RE
--.PP
--PAM_SESSION_ERR
--.RS 4
--Unable to get or set a valid context\&.
--.RE
--.PP
--PAM_USER_UNKNOWN
--.RS 4
--The user is not known to the system\&.
--.RE
--.PP
--PAM_BUF_ERR
--.RS 4
--Memory allocation error\&.
--.RE
--.SH "EXAMPLES"
--.sp
--.if n \{\
--.RS 4
--.\}
--.nf
--auth required pam_unix\&.so
--session required pam_permit\&.so
--session optional pam_selinux\&.so
--
--.fi
--.if n \{\
--.RE
--.\}
--.SH "SEE ALSO"
--.PP
--\fBexecve\fR(2),
--\fBtty\fR(4),
--\fBpam.d\fR(5),
--\fBpam\fR(8),
--\fBselinux\fR(8)
--.SH "AUTHOR"
--.PP
--pam_selinux was written by Dan Walsh <dwalsh@redhat\&.com>\&.
diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml
index 3aa632c..7ec5daf 100644
--- a/modules/pam_selinux/pam_selinux.8.xml
@@ -2420,10 +2093,10 @@ index a20c5f7..a69e1d6 100644
</para>
</refsect1>
diff --git a/modules/pam_wheel/pam_wheel.8.xml b/modules/pam_wheel/pam_wheel.8.xml
-index 0e89002..c73aa7d 100644
+index b42e27d..86f2828 100644
--- a/modules/pam_wheel/pam_wheel.8.xml
+++ b/modules/pam_wheel/pam_wheel.8.xml
-@@ -225,7 +225,7 @@ su auth required pam_unix.so
+@@ -210,7 +210,7 @@ su auth required pam_unix.so
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
diff --git a/debian/patches/do_not_check_nis_accidentally b/debian/patches/do_not_check_nis_accidentally
deleted file mode 100644
index 5ef39a00..00000000
--- a/debian/patches/do_not_check_nis_accidentally
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Sam Hartman <hartmans@debian.org>
-Date: Mon, 11 Sep 2023 14:00:42 -0600
-Subject: do_not_check_nis_accidentally
-
-Patch for Debian bug #469635
-
-Always call _unix_getpwnam() consistent with the value of the 'nis'
-option, so that we only grab from the backends we're expecting.
-
-Authors: Quentin Godfroy <godfroy@clipper.ens.fr>
-
-Upstream status: should be submitted
----
- modules/pam_unix/pam_unix_passwd.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/modules/pam_unix/pam_unix_passwd.c b/modules/pam_unix/pam_unix_passwd.c
-index 5b81343..78f8e20 100644
---- a/modules/pam_unix/pam_unix_passwd.c
-+++ b/modules/pam_unix/pam_unix_passwd.c
-@@ -660,7 +660,7 @@ pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, const char **argv)
- return PAM_USER_UNKNOWN;
- } else {
- struct passwd *pwd;
-- _unix_getpwnam(pamh, user, 1, 1, &pwd);
-+ _unix_getpwnam(pamh, user, 1, on(UNIX_NIS, ctrl), &pwd);
- if (pwd == NULL) {
- pam_syslog(pamh, LOG_DEBUG,
- "user \"%s\" has corrupted passwd entry",
diff --git a/debian/patches/pam-limits-nofile-fd-setsize-cap b/debian/patches/pam-limits-nofile-fd-setsize-cap
index 8b466254..866ff1e3 100644
--- a/debian/patches/pam-limits-nofile-fd-setsize-cap
+++ b/debian/patches/pam-limits-nofile-fd-setsize-cap
@@ -45,10 +45,10 @@ Last-Update: 2015-04-22
1 file changed, 8 insertions(+)
diff --git a/modules/pam_limits/pam_limits.c b/modules/pam_limits/pam_limits.c
-index bb81559..60c809b 100644
+index adda08b..a58d424 100644
--- a/modules/pam_limits/pam_limits.c
+++ b/modules/pam_limits/pam_limits.c
-@@ -460,6 +460,14 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
+@@ -459,6 +459,14 @@ static void parse_kernel_limits(pam_handle_t *pamh, struct pam_limit_s *pl, int
pl->limits[i].src_hard = LIMITS_DEF_KERNEL;
}
fclose(limitsfile);
diff --git a/debian/patches/series b/debian/patches/series
index bc458602..8f2a05e1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,23 +1,21 @@
pam_unix_dont_trust_chkpwd_caller.patch
make_documentation_reproducible.patch
-007_modules_pam_unix
-008_modules_pam_limits_chroot
-021_nis_cleanup
+0003-pam_unix-obscure-checks.patch
022_pam_unix_group_time_miscfixes
026_pam_unix_passwd_unknown_user
-do_not_check_nis_accidentally
-027_pam_limits_better_init_allow_explicit_root
031_pam_include
-032_pam_limits_EPERM_NOT_FATAL
036_pam_wheel_getlogin_considered_harmful
-hurd_no_setfsuid
+027_pam_limits_better_init_allow_explicit_root
+pam-limits-nofile-fd-setsize-cap
+032_pam_limits_EPERM_NOT_FATAL
+008_modules_pam_limits_chroot
040_pam_limits_log_failure
045_pam_dispatch_jump_is_ignore
+hurd_no_setfsuid
PAM-manpage-section
update-motd
-no_PATH_MAX_on_hurd
lib_security_multiarch_compat
-pam-limits-nofile-fd-setsize-cap
+no_PATH_MAX_on_hurd
fix-autoreconf.patch
nullok_secure-compat.patch
pam_mkhomedir_stat_before_opendir
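Review bot: Removing `do_not_check_nis_accidentally` from the series also drops the fix that made the `_unix_getpwnam()` call in pam_unix_passwd.c honour the `nis` option instead of passing a hard-coded 1 (visible in the deleted patch above); that is only safe if the upstream source now being tracked no longer has that call path, which neither this hunk nor the commit description states. A one-line justification in the description, such as `NIS support was removed upstream, so 021_nis_cleanup and do_not_check_nis_accidentally no longer apply`, would let the next maintainer confirm that no unintended NIS lookup was reintroduced. The reordering additionally moves `pam-limits-nofile-fd-setsize-cap` ahead of `032_pam_limits_EPERM_NOT_FATAL` and `008_modules_pam_limits_chroot`, all of which touch modules/pam_limits/pam_limits.c; the refreshed index and hunk offset in pam-limits-nofile-fd-setsize-cap presumably follow from that, but the description gives no reason for the new order.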